Why location is sensitive
A trail of positions reveals where someone lives, works, and worships. Even anonymized traces can be re-identified, because the home and work pattern in a trace is nearly unique to a person. So location data must be treated as highly sensitive, not as ordinary telemetry.
Design defenses
- Minimize. Collect only the positions you actually need and keep them only as long as required.
- Coarsen. Show others a reduced precision position, like a region rather than an exact point, when fine detail is not needed.
- Aggregate. Report area level statistics rather than individual tracks, and avoid releasing fine data for sparse areas where one person stands out.
Access and retention
- Restrict reads. Gate raw location behind strict authorization and log access for audit.
- Encrypt location at rest and in transit.
- Expire historical traces on a retention schedule rather than keeping them forever.
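The three design defenses above (coarsen, aggregate with suppression of sparse areas) and the retention schedule can be shown together in one small pipeline. The code below is an added example, not part of the original note: it snaps points to a grid cell, releases only per-cell counts of distinct users where at least k users are present, and applies a tiered retention policy in which exact points survive a few days, coarsened cells survive longer, and everything older is dropped. The cell size (0.05 degrees), the thresholds (k=3, 7 and 90 days) and the sample trace are constructed for the example and are not values from the page.

```python
"""Coarsen, aggregate with sparse-cell suppression, and tiered retention for location traces.
Added example; the grid size, thresholds and sample data are assumptions, not values from the page."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Position:
    user: str
    lat: float
    lon: float
    ts: datetime


def coarsen(lat: float, lon: float, cell_deg: float = 0.05) -> tuple[int, int]:
    """Snap a point to the integer index of the grid cell containing it.

    Integer cell indices (not rounded floats) are returned so that two points in the
    same cell compare equal exactly. At 0.05 degrees a cell is roughly 5 km on a side."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def aggregate(positions: list[Position], cell_deg: float = 0.05, k: int = 3) -> dict[tuple[int, int], int]:
    """Report the number of distinct users per cell, suppressing cells with fewer than k users.

    Suppression is what keeps one person from standing out in a sparse area."""
    users_per_cell: dict[tuple[int, int], set[str]] = defaultdict(set)
    for p in positions:
        users_per_cell[coarsen(p.lat, p.lon, cell_deg)].add(p.user)
    return {cell: len(users) for cell, users in users_per_cell.items() if len(users) >= k}


@dataclass(frozen=True)
class Stored:
    """A retained record: either an exact point or only its coarsened cell."""
    user: str
    precision: str                 # "exact" or "cell"
    lat: float | None
    lon: float | None
    cell: tuple[int, int] | None
    ts: datetime


def apply_retention(positions: list[Position], now: datetime,
                    exact_days: int = 7, cell_days: int = 90,
                    cell_deg: float = 0.05) -> list[Stored]:
    """Tiered retention schedule (assumed policy for this example):
    exact points are kept for exact_days, then reduced to a cell until cell_days, then dropped."""
    kept: list[Stored] = []
    for p in positions:
        age = now - p.ts
        if age <= timedelta(days=exact_days):
            kept.append(Stored(p.user, "exact", p.lat, p.lon, None, p.ts))
        elif age <= timedelta(days=cell_days):
            kept.append(Stored(p.user, "cell", None, None, coarsen(p.lat, p.lon, cell_deg), p.ts))
        # Older than cell_days: not retained at all (minimize).
    return kept


# Constructed sample trace: three users share one cell, one user is alone in another.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_TRACE = [
    Position("alice", 37.7749, -122.4194, NOW - timedelta(days=1)),
    Position("bob",   37.7760, -122.4180, NOW - timedelta(days=2)),
    Position("carol", 37.7700, -122.4150, NOW - timedelta(days=10)),
    Position("dave",  40.7128,  -74.0060, NOW - timedelta(days=100)),
    Position("alice", 37.7749, -122.4194, NOW - timedelta(days=3)),
]


if __name__ == "__main__":
    print("released cells:", aggregate(SAMPLE_TRACE))          # dave's lone cell is suppressed
    for rec in apply_retention(SAMPLE_TRACE, NOW):
        print(rec.user, rec.precision, rec.lat, rec.lon, rec.cell)
```

The suppression threshold k and the grid size trade utility against privacy: larger cells and a higher k hide more, so pick them per release rather than hard-coding one value for every dataset. Note that coarsening alone does not protect someone who is the only person in a cell, which is why aggregation and suppression are applied together.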
Key idea
Location privacy means treating position as sensitive data, minimizing and coarsening it, restricting access, and expiring history on a schedule.